To stoke maximum fear, Android-Trojan.Koler.A uses geolocation
functions to tailor the warnings to whatever country a victim
happens to reside in. The screenshot to the right invoking the
FBI, for instance, is the notice that's displayed on infected
phones connecting from a US-based IP address. People in Romania and
other countries will see slightly different warnings. The malware
prevents users from accessing the home screen of their phones,
making it impossible to use most other apps installed on the phone.
In some cases, normal phone functions can be restored only when
the user pays a "fine" of about $300, using untraceable payment
mechanisms such as Paysafecard or uKash.

The functions in Koler.A have been obfuscated to slow down the
process of analysing exactly how the malware works. Still, there's
no evidence that the malware encrypts any files on a phone's
storage.

"The ransomware's main component is a browser view that stays on
top of all other applications," Bitdefender Senior E-Threat Analyst
Bogdan Botezatu wrote in an e-mail. "You can press Home and go to
the homescreen, but a timer would bring it back on top in about
5 seconds. I managed to uninstall it manually by swiftly going
to applications and dragging the icon on the Uninstall control, but
it only works if the application icon is on the first row.
Otherwise, one wouldn't have the necessary time to drag it to the
top, where the uninstall control is located."

The malicious Android Package is automatically downloaded when
people visit certain pornography sites using an Android phone. The
sites then claim that the APK installs a video player used for
premium access. To be infected, a user must change Android settings
to allow out-of-market apps and then manually install the APK. The
social engineering trick has already claimed at least 68 victims in
the past six hours -- 40 in the United Arab Emirates, 12 in the UK,
six in Germany, five in the US, and the rest in Italy and
Poland.

Koler.A is another reminder that Android users are quickly being
targeted by the same malware and social engineering attacks that
have plagued Windows users for years and more recently have started
migrating to those using Macs. People should remain highly
cautious when downloading Android apps, especially those
available from sources other than the official Google Play
Store.